Linus Torvalds Clarifies His Position on Signed Modules
An anonymous reader writes "No one, but no one, in the Linux community likes Microsoft's mandated deployment of the Unified Extensible Firmware Interface (UEFI) Secure Boot option in Windows 8 certified PCs. But, how Linux should handle the fixes required to deal with this problem remains a hot-button issue. Now, as the debate continues hot and heavy, Linus Torvalds, Linux's founder and de facto leader, spells out how he thinks Linux should deal with Secure Boot keys."
And it's not in the control of Microsoft: distros should sign only the modules they provide with their key, with user built modules signed by locally generated keys (since, as SSL certification authority break-ins have shown, centralized trust systems are prone to abuse and offer dubious security benefits). Basically, no love for proprietary kernel modules.
Keep it up.
What are you smoking? He just provided guidelines for using keys while running Linux. He didn't say UEFI is evil, he just doesn't want to sign off the ability to boot Linux on UEFI+Secure Boot to some big company.
People aren't scrambling to get Windows 8. Shall we chalk Windows 8 up to another Microsoft failure (much like Vista and ME)?
Stop trolling please.
Nice try, Ballmer.
Wouldn't it be better to stop taking it up the ass from Microsoft and challenge them in court? Considering Microsoft were successfully litigated over browser bundling I'm sure the OSS community would have an even stronger case with Secure Boot. Microsoft's OEM stranglehold is so 1998. Now the Linux kernel is everywhere surely we now have a much stronger case against Ballmer and his shills.
You're a clueless M$ apologist. To begin with, UEFI is not the problem but this Micro$oft's "secure boot" which should rather be called restricted boot as it has nothing to do with security and everything to do with vendor lock-in. When a convicted monopolist starts something like this, people tend to take notice.
Q: So, what's wrong with Micro$oft?
A: How long time did you say you have? Try reading http://wayback.archive.org/web/20120116153542/http://www.msversus.org/ And then about ooxml and this "secure boot". If you're not lobotomized, you'll start to see a pattern. And it's not pretty.
The hate is real. But it's well motivated.
You're confusing him with Assange
“He’s not deformed, he’s just drunk!”
> not because this actually does anything at all to inconvenience Linux users.
Ummm ... not necessarily. Linus is concerned about two things:
1. That a Microsoft-signed Linux secure boot key could be used to hack systems. Microsoft could disable the key, which would then disable *Linux* systems. We can argue about whether Microsoft would actually do this, but understandably, Linus isn't excited about placing that kind of power in anyone else's hands.
2. Linus also says, "Before loading any third-party module, you'd better make sure you ask the user for permission. On the console. Not using keys."
Linus can be a tyrant and an anus, but I like where his heart is at. The best quote is this: Linux's approach to UEFI is (again quoting), "based on REAL SECURITY and on PUTTING THE USER FIRST."
Agree or disagree, don't just dismiss this as the usual "Microsoft bashing." I'm not a Microsoft hater; we use their stuff alongside F/OSS all over our workplace. I prefer Linux, but I don't hate Microsoft. But I am very concerned about this whole UEFI thing and the way it's shaping up.
So is Linus ... and in his usual, inimitable fashion is telling everyone how he feels. :)
Cogito, igitur comedam pizza.
Could microsoft refuse to sign a uefi binary because it violated their patents? If so, this could be a way to get everyone using linux to pay them.
Yeah, and? You say that like it's a bad thing.
Eh, once 3D printers come with their own smelters (throw a pile of rocks in the bin and the machine will sort it out.), this won't be a problem anymore.
“He’s not deformed, he’s just drunk!”
"you can load keys of your choice"
I think this is the biggest, and most complained about, assumption in all the debacle. If it was true, the Microsoft key issue wouldn't exist (we'd just have a "Linus key" and that would be the end of it).
Sure, MS give lip service to this but there's nothing that guarantees it will be available. Nothing at all. You can turn Secure Boot off, but then you've had BIOS engineers working on a feature that you then turn off because it doesn't work as you need it to.
But nothing guarantees that every user will ever be able to add a key to their own machines, nor that machines would ever come supplied in a way that would ever suggest that's what needed.
Having just fixed a 2012-issue BIOS bug a few months ago, and it being pretty much par for the course with even the larger consumer manufacturers to have such bugs, I don't trust that a BIOS option to enter a key I trust will be present in machines before I've bought them.
The bug I reported (and had to get a custom BIOS patch for)? A whole series of laptop machines from my normal supplier, using big-name BIOS's, motherboards, and other components (and Windows 7 stickers on them!), would refuse to boot if a certain offset on the selected bootable partition on the first disk was not zero.
That offset is actually always zero on a plain Windows NTFS drive. On Linux, or any other filesystem, it is not. On any encrypted system - even with an NTFS partition - (we discovered the problem using Truecrypt), it was not.
You could not fake partitions and juggle them around - whatever the bootable partition was was checked, no matter what the filesystem signature on it. God knows what happens if you use GPT and equivalents. Even chain-loading from partitions was next-to-impossible to set up with booting into an encrypted Windows setup (you would have to boot from an unencrypted NTFS partition into an encrypted one somehow and even playing games with syslinux etc. it was too difficult to even demonstrate a single working example, let alone deploy company-wide).
Any non-zero byte in that position on the disk, which could be verified with a hex-editor on a blank disk, rendered the machine unbootable. Black screen, no boot options, no truecrypt loader, it just stopped. Zero the byte and it would happily boot again.
Yes, it's stupid and it SHOULD NOT HAPPEN. But only our threat of sending many thousands of pounds worth of laptops back because they did not fulfill the stated purpose actually prompted the reseller to nudge the manufacturer to nudge the board supplier, to nudge the BIOS supplier, to hack up a dirty patch to their BIOS labelled with all sorts of beta /not for distribution / etc. warnings. And even that, it was a close run thing because the reseller was ready to just say "not our problem, it runs Windows which we supplied with it" at any second and only the threat of a lot of future business prompted any sort of action from them.
UEFI just puts an unnecessary burden of responsibility onto BIOS manufacturers and Microsoft. And the vast majority of BIOS manufacturers (even AMI, Pegasus, etc.) are inherently bad and aim at making machines that boot only Windows and then walk away saying "not my problem". Try finding a machine with valid ACPI tables, the problem has actually got WORSE since ACPI became commonplace and in every machine.
Samsung only the other week had a problem where a BIOS issue can cause a complete machine bricking no matter what the OS, but Windows triggers it less because it doesn't do certain things that are perfectly reasonable to do by the standards.
Nobody *cares* what *SHOULD* work. They care what could *NOT* work. And relying on your BIOS manufacturer to be able to boot Linux successfully is, historically, one of the most contentious areas of computer manufacture ever.
Linus Torvalds is the Kanye West of the open source community. He needs to calm down or risk making the entire community look like angry little boys. Yelling every time you're upset is unprofessional and no way to work with people.
Pronounced "doofy"
Instead of screwing around with politics, I have a much better idea...
Replace the kernel idle loop with a UEFI signing key cracker. Let it chow down on Microsoft's key.
Especially some big company that has already been hacked and had its certificates compromised in the past.
Seven puppies were harmed during the making of this post.
The surgeon general warns that MS is an infectious cunt.
Picture a 60 year old crack whore who has been turning tricks in the ghetto for 45 years. Would you fuck it? That's what you're doing when you deal with microsoft. If you don't want your penis to rot away, then don't fuck crack whores, and don't run Micro$oft.
I think this entire issue needs to be looked at by the Attorney General and Federal Trade Commission. The SecureBoot UEFI is nothing more than a form of vendor lock-in, cleverly (or not so much) disguised as a security innovation. Please sign my petition and spread the word: http://wh.gov/wHLq
Microsoft = small, soft
Their business model has outgrown the company name. They are big and hard. So big, that they can get by with some shit like this. Hard because their head is hard.
Them getting with the hardware designers and creating this secure boot shit, just so it's harder for pirates to pirate a copy of windows8, is the same thing as GM getting with the folks that make roads, and have them install a switch that can disable ALL CARS if GM decides. GM can just state, "What if a GM car is stolen? How are we supposed to be expected to recover the losses?"
So here is another car manufacturer saying that he's not willing to put the GM parts into his cars. That's all. Our world's problems are getting so stupid, that it's sorta hard to tell/believe what's going on.
I think everyone should read the lyrics to "Wish You Were Here" by Pink Floyd. Or maybe another band should release a song called "I wish we weren't here". Again, hard to tell...
"Sure, MS give lip service to this but there's nothing that guarantees it will be available. Nothing at all."
Yes, there is. I quote http://msdn.microsoft.com/en-US/library/windows/hardware/jj128256, "Windows Hardware Certification Requirements for Client and Server Systems":
"Mandatory. On non-ARM systems, the platform MUST implement the ability for a physically present user to select between two Secure Boot modes in firmware setup: "Custom" and "Standard". Custom Mode allows for more flexibility as specified in the following:
It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx), which puts the system into setup mode.
If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system is operating in Setup Mode with SecureBoot turned off.
The firmware setup shall indicate if Secure Boot is turned on, and if it is operated in Standard or Custom Mode. The firmware setup must provide an option to return from Custom to Standard Mode which restores the factory defaults. On an ARM system, it is forbidden to enable Custom Mode. Only Standard Mode may be enabled."
No one, but no one, in the Linux community likes Microsoft's mandated deployment of the Unified Extensible Firmware Interface (UEFI) Secure Boot option in Windows 8 certified PCs.
I don't believe this. There's always one lunatic out there so in love with Microsoft "technologies" that they'll love this. Miguel?
SJW n. One who posts facts.
"That a Microsoft-signed Linux secure boot key could be used to hack systems. Microsoft could disable the key, which would then disable *Linux* systems. We can argue about whether Microsoft would actually do this, but understandably, Linus isn't excited about placing that kind of power in anyone else's hands."
You're actually reading Linus' argument exactly backwards.
Howells and Garrett argue that revocation is a significant possibility, _therefore_ we (distributions) need to do kernel module signing (because unsigned kernel modules are an attack vector against a Windows install on the same system). One strand of Torvalds' argument is that MS is never going to revoke any keys anyway, therefore we (distributions) don't need to bother. There are other strands to his argument, but that's how the revocation one goes. That's what http://marc.info/?l=linux-kernel&m=136185309010028&w=2 is about: key revocation is what he describes as an 'unlikely and bogus scenario'.
"No one, but no one, in the Linux community likes Microsoft's mandated deployment of the Unified Extensible Firmware Interface (UEFI) Secure Boot option in Windows 8 certified PCs"
Proof required.
And I could just as easily call the Tivo requiring a SIGNED BOOT to run linux that only Tivo can give out as PRECISELY THE SAME THING. But apparently, for no reason, "the linux community" doesn't mind this.
I guess the new anon cow defines "the linux community" as "those who like Tivo signed bootloaders and hate Microsoft signed bootloaders".
It's important to note, though, that Linus isn't saying this just because "Itz Micro$OFT OMG run!11!!" Another nice quote from Linus:
"Encourage things like per-host random keys--with the stupid UEFI checks disabled entirely if required. They are almost certainly going to be *more* secure than depending on some crazy root of trust based on a big company, with key signing authorities that trust anybody with a credit card. Try to teach people about things like that instead."
Like I said elsewhere, Linus can be a big, furry anus, but all he cares about is his baby: the Linux kernel, keeping it free, and giving maximum freedom to the *USER*. I like that.
Cogito, igitur comedam pizza.
That's actually what Linus is arguing FOR.
It's the people trying to hand the whole thing over to Microsoft he's yelling at.
Except Microslop could change what passes for their mind tomorrow and there would be no recourse.
The problem is that giving freedom to uneducated user is the worst security practice.
About 50 BogoMips.
So what have you, oh AC, accomplished then that gives you the ability to judge his ego? His being the leading figure in one of the largest distributed projects in human history not enough for you?
Somebody gets it:
Imagine if someone invented a protocol like ssh, but then suggested that of course, nobody should be able to use it except in situations where a host's key is signed by one of the global CAs, like we do on the web except without the possibility of self-signing or for new CAs to enter the market.
Nobody would call that "secure." They would call it a joke which goes out of its way to be less secure, by deliberately adding an untrustable link. And the fix to such a protocol would be obvious. Well, that's just what Linus did in the above paragraph: he told you how to turn SecureBoot from "just plain stupid" into "decent even if still mostly useless."
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Linus can be a tyrant and an anus, but I like where his heart is at.
He's an asshole, but an asshole that gets shit done.
Kidding aside...
The best quote is this: Linux's approach to UEFI is (again quoting), "based on REAL SECURITY and on PUTTING THE USER FIRST."
Indeed. Too many people seem to be focussing on the technical details and not on how this will actually work. UEFI can be OK (though I don't really see the improvement over Open Firmware or Coreboot, but that's another discussion).
Sure, you can disable the secureboot and you can add your own keys. And in theory, the board vendors can add keys from multiple authorities.
In practice, that's not how it will happen. What people want is to load an OS on to their computer with minimal fuss, which means having the signed bootloader, signed by Microsoft.
Even ignoring the implications of having Microsoft in particular in that position of power, having one organisation there is just not a good idea. All one has to do is look at the various hacks and cracks against big organisations and their cryptographic stuff (e.g. Sony's PS3 master key, HDCP, various SSL hacks) to see that even with the best of intentions security wise, they are just not trustworthy.
SJW n. One who posts facts.
Microsoft could disable the key, which would then disable *Linux* systems.
Future Linux systems, until a new key is obtained. Unless you're suggesting that Secure Boot will connect to the Internet to obtain a CRL.
And if it didn't have one, you get your money back, including your P&P costs?
No, you won't.
And it won't be on the "Specifications" screen, either. So you'll buy it, find it doesn't work, return it and find you're still down for 80% of the cost of the motherboard because you had to pay for P&P both ways.
And there's no way to write down on your purchase order that you want to be able to install Linux on it, or turn off Secure Boot.
but Windows triggers it less because it doesn't do certain things that are perfectly reasonable to do by the standards.
I do love how someone effectively wrote a "brickme.exe" for windows to prove this point. That shows some real dedication. I wonder how many times he tested it.
SJW n. One who posts facts.
Well except some massive anti-trust lawsuits all over the world.
Also, let's not forget the "non-ARM systems" part. The fact that they're locking down anything sours me on the whole secure boot BS.
I like to think of online DRM as something akin to a college -- you pay for lessons until you learn something.
act like his wants and opinions are more important than anyone else's.
Actually, when it comes to the Linux kernel, his opinions are more important than anyone else's, because he has final say on it.
If Linus doesn't like the Intel/MS control over UEFI then let him conjure up a viable alternative and get it to market.
Like he does in the linked article?
Except that's not a rational argument, it's baseless paranoia.
I think this is the biggest, and most complained about, assumption in all the debacle. If it was true, the Microsoft key issue wouldn't exist (we'd just have a "Linus key" and that would be the end of it).
Sure, MS give lip service to this but there's nothing that guarantees it will be available. Nothing at all. You can turn Secure Boot off, but then you've had BIOS engineers working on a feature that you then turn off because it doesn't work as you need it to.
Sorry but that's just wrong.
Here's how you add your own keys (and remove Microsoft's if you want):
http://blog.hansenpartnership.com/owning-your-windows-8-uefi-platform/
Owning your Windows 8 UEFI Platform
Posted on 15 February 2013 by jejb
Even if you only ever plan to run Windows or stock distributions of Linux that already have secure boot support, I’d encourage everybody who has a new UEFI secure boot platform to take ownership of it. The way you do this is by installing your own Platform Key. Once you have done this, you can use key database maintenance tools like keytool to edit all the keys on the Platform and move the platform programmatically from Setup Mode to User Mode and back again. This blog post describes how you go about doing this.
First Save the Variables
The first thing to do is to install and run KeyTool either directly (the platform must have secure boot turned off, because keytool is unsigned) or via the mini USB image and save all the current secure variable keys (select the ‘Save Keys’ option from the top level menu). This will save the contents of each variable as a single esl (EFI Signature List) file, so you should end up with three files: PK.esl, KEK.esl and db.esl. These files can later be used to restore the contents if something goes wrong in the updates (and because some platforms put you into setup mode by erasing the contents of all the secure variables), so save them in a safe place.
Use the UEFI Menus to remove the Platform Key
This is the step that it’s impossible to be precise about. Every UEFI platform seems to be different in how you do this. The Linux Foundation hosts a web page collecting the information but so far it only has the Intel Tunnel Mountain system on it, but if you work it out for your platform, leave me a comment describing what you did and I’ll add it to the LF page.
The most common way to get a UEFI system to display the UEFI menus is to press ESC as it boots up.
Create your own Platform Key
If you rpm installed efitools, it will automatically have created a Platform Key for you in /usr/share/efitools/keys, plus all of the PK.auth and noPK.auth files.
A platform key may be self signed, but doesn’t have to be (I’m using one signed with my root certificate). However, assuming you want to create a self-signed platform key manually, here are the steps: The standard command for doing this with openssl is
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=<common name>/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256
None of the parameters for the key (like the Common Name) matters, so you can replace <common name> with anything you like (mine says ‘James Bottomley Platform Key 2013’); you can also add other X509 well known objects like your address. Once you have the two files PK.crt and PK.key, you need to save them in a safe location (PK.key is the one to guard since it’s your private key).
Next, create an EFI Signature List file with the public key in (this and the next steps require that you have either installed the efitools rpm or compiled the unix commands from efitools.git and installed them on your system)
cert-to-efi-sig-list -g <GUID> PK.crt PK.esl
where <GUID> is any random GUID you choose. You also need to create an empty noPK.esl file which can be used to remove the platform key again
> noPK.esl
This space for rent.
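Added example (not part of the quoted blog post or of efitools): a small Python reader for the EFI Signature List layout used by the saved PK.esl, KEK.esl and db.esl files, so a backup can be checked for structure and content before the Platform Key is cleared. The owner GUID and the certificate bytes are constructed sample values, and the function names are this example's own.

```python
import hashlib
import struct
import uuid
from collections import namedtuple

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}

# EFI_SIGNATURE_LIST header: type GUID, list size, header size, per-entry size.
LIST_HEADER = struct.Struct("<16sIII")

Entry = namedtuple("Entry", "kind owner data")

# Constructed sample values (assumptions for this example only).
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
FAKE_DER = b"\x30\x82\x00\x40" + bytes(range(64))  # stand-in, not a real cert


def build_esl(sig_type, owner, payloads):
    """Pack one signature list; every payload in a list has the same size."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("entries in one list must share a size")
    sig_size = 16 + sizes.pop()  # owner GUID + payload
    body = b"".join(owner.bytes_le + p for p in payloads)
    header = LIST_HEADER.pack(
        sig_type.bytes_le, LIST_HEADER.size + len(body), 0, sig_size
    )
    return header + body


def parse_esl(blob):
    """Return every entry in a file of concatenated signature lists.

    An empty file (such as noPK.esl) yields an empty list. Any size field
    that does not fit the data raises ValueError instead of being trusted.
    """
    entries = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < LIST_HEADER.size:
            raise ValueError("truncated list header at offset %d" % offset)
        type_raw, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(
            blob, offset
        )
        if list_size < LIST_HEADER.size + hdr_size:
            raise ValueError("list size smaller than its own headers")
        if offset + list_size > len(blob):
            raise ValueError("list at offset %d runs past end of file" % offset)
        if sig_size <= 16:
            raise ValueError("entry size leaves no room for data")
        body_len = list_size - LIST_HEADER.size - hdr_size
        if body_len % sig_size:
            raise ValueError("list body is not a whole number of entries")
        sig_type = uuid.UUID(bytes_le=type_raw)
        kind = TYPE_NAMES.get(sig_type, str(sig_type))
        pos = offset + LIST_HEADER.size + hdr_size
        for _ in range(body_len // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append(Entry(kind, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        offset += list_size
    return entries


def fingerprints(blob):
    """(kind, hex digest) per entry: SHA-256 of an X.509 payload, which is the
    certificate fingerprint to compare against; hash entries are shown as-is."""
    out = []
    for e in parse_esl(blob):
        digest = hashlib.sha256(e.data).hexdigest() if e.kind == "x509" else e.data.hex()
        out.append((e.kind, digest))
    return out


def sample_db():
    """Constructed db-style file: one certificate list plus one hash list."""
    hashes = [hashlib.sha256(b"image-a").digest(), hashlib.sha256(b"image-b").digest()]
    return (build_esl(EFI_CERT_X509_GUID, OWNER, [FAKE_DER])
            + build_esl(EFI_CERT_SHA256_GUID, OWNER, hashes))


if __name__ == "__main__":
    for kind, digest in fingerprints(sample_db()):
        print(kind, digest)
```

For a real backup, pass the bytes of the saved file to `fingerprints()` and compare the X.509 digest with the SHA-256 fingerprint of the certificate you expect to find there.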
You are talking about advanced linux users. Not grandma or the little boy with gum in their hair. They know how to build a kernel and setup grub. If they don't they should learn.
NEVER NEVER NEVER NEVER NEVER NEVER NEVER NEVER GIVE UP! "No limitations, no boundaries, there is no reason for them."
It is still far preferable than giving control to anyone else.
His opinions regarding Linux are more important than anyone else's. I know you don't like it but that does not make it less true. And the best way to deal with UEFI is to disable it. Simple as that.
... he just doesn't want to sign off the ability to boot Linux on UEFI+Secure Boot to some big company.
But I'll bet you he would love to have control of it himself.
No: From TFA:
Torvalds concluded, "It really shouldn't be about Microsoft blessings, it should be about the *user* blessing kernel modules. Quite frankly, *you* are what the key-hating crazies were afraid of. You peddle the "control, not security" crap-ware. The whole "Microsoft owns your machine" is *exactly* the wrong way to use keys."
He goes on to give details of how this would work (each distro has a key and users have to explicitly grant permission to install non-distro apps)
Have you met most Linux users lately? They know how to copy and paste crap from the Ubuntu forums. They had problems of their own doing in Windows, blamed "M$" and now use Linux.
That IS the lip service. Some laptops have shipped without instructions on how to get to the bios screen. They are technically compliant according to what you wrote.
How's the weather in Redmond, Mr. Ballmer? You think Linus is ranting? That's no rant, THIS is a rant (Crocodile Dundee style). We see what you're doing, you evil bastards. You know how much everyone outside your campus hates W8, and I see your fear -- that people will en masse buy a computer, turn it on, say "WTF??" and start looking for an alternate OS. When word spreads that Windows has lacked features compared to all other OSes for a decade now, OEMs might stop paying the "microsoft tax". My experience with Windows (I've had Windows computers since about 1996, DOS before that) hasn't been a good one. W7 seemed to change that.
It seemed to be an OK OS, despite its shortcomings. It seemed far more stable and secure than previous versions of Windows, and the notebook it came on had pretty snappy performance. I bought two more of them for my grown daughters as Christmas presents a year ago; I'd had mine for a year. Despite my grumbling about Reboot Tuesday, I didn't install Linux on it, unlike my XP tower.
I absolutely hate rebooting a Windows computer. Ironically, I don't mind a Linux reboot but you only have to reboot a Linux computer if you want to update the kernel. I've had the Linux computer running for months at a time, and only shut it off when I want to save electricity. When I do power it down to install a new piece of hardware or upgrade the memory, when I power it back up, I don't need to enter the password or reopen all my files; the OS does that for me. Without touching anything but the power switch it's as if it had never been shut down.
I discovered last week why you people demand monthly reboots -- your OS is still an unstable pile of shit. My daughter's notebook started getting sluggish, then she said the firewall refused to start and she feared a virus. My other daughter suggested to her that she wipe and reinstall Windows. Bad move! The battery ran down during the reinstall and it hibernated, now it's completely bricked. When I power it up it says "Windows is starting services" (I'm thinking funeral services) and does nothing else after coming out of hibernation. Pressing the space bar to start it normally gives you the option, then goes right back to "starting services". F2 won't bring up the BIOS and the Linux installation thumb drive isn't recognized. Thanks, Microsoft, for being so god damned incompetent that you have an unbreakable infinite loop. Jesus, what moron wrote that shitty code??? A first year programming student knows better!
And, my notebook started getting flaky, not knowing whether or not it was hibernating, with the screen blacking out and the lights not going off and refusing to recognize the power button. When it flickered on for a minute I managed to shut it down. I feared a hardware failure. But after booting it back up, it was fine!
Stable, my ass. kubuntu is going on it this weekend. Note to OEMs who make laptops and tablets: if your wares have "secure" (lol) boot, you won't be getting my nerdy money.
And you, Mister Ballmer, can fucking go to hell. Actually, I'm sure you will, you evil man.
(mcgrew here, sorry I can't log in on this machine. Love that captcha... subdue)
But why is it okay to deny users of ARM systems the freedom we've all taken for granted lo these many years?
Everyone locks down ARM. It sucks when Microsoft does it, but no more than when Google does it (you can't boot whatever you like on ARM Chromebooks), or Samsung, or Apple, or...
If you want to run Linux on an ARM machine, don't buy one with Windows on it, sure.
Hardware ships with terrible firmware! Film at 11!
It is my previously stated opinion that the firmware engineers' union lists 'deep familiarity with a crack pipe' as a minimum baseline requirement for joining, so this shouldn't really _surprise_ anyone. Secure Boot sucks insofar as it's another firmware mechanism for the firmware engineers to fuck up, but it's not like we're _short_ of those.
Non-existent? I thought this was supposed to keep people from installing those obnoxious MBR loaded malware from being ported over to GPT.
That is marginally accurate of an Ubuntu user, but the other distros are still popular and have only been gaining users since Shuttleworth started sodomizing his userbase.
What do you think will happen when Windows Update runs on the Windows 8 install on the other partition?
I was expecting the link to take me to a goatse image. Maybe the article is really just a euphemism.
Views expressed do not necessarily reflect those of the author.
Now there is less reason than ever to buy laptops and computers pre-installed with the Windows operating system and to be made to pay the Windows tax. We can now turn to manufacturers that offer Linux-based machines out of the box such as ThinkPenguin, Lemote, and System 76. Add to that, even companies like HP and Dell (still?) offer pre-installed Linux machines. Previously, gamers needed Windows to run games, but now companies like Steam Valve make that a moot point. As Microsoft resorts to more aggressive tactics to ensure only their product can run on computers, we simply need no longer support manufacturers who bow to their whim. Consumers need choice and freedom and Microsoft will not facilitate this, nor will manufacturers who force people to pay for the Windows OS even though the Microsoft EULA states the consumer can get a refund if s/he does not agree to the terms and conditions. It's time the users of alternate operating systems created and supported their own ecosystem.
"SO we bide our time, waiting for a purer kick to bloom and the future is still bleak, uncertain and beautiful" -GSYBE
Yeah, and transporters and warp drives too! Gee golly.
Now read what you wrote.
"It shall be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK. *****This may be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx), which puts the system into setup mode.******"
So the minimum requirement is that you can delete all the keys.
"If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system is operating in Setup Mode with SecureBoot turned off."
So when you delete the keys, SecureBoot is turned off.
There's also an option to always put the Microsoft key back in place. But that's it. At no point does it guarantee that you can enter an arbitrary key and keep secure mode on. Which is basically what I said.
And "possible" can be provided by means of, say, a supplied disk available at extra cost from the manufacturer that has to be inserted for such action to be taken at all.
Lip service.
"Sure, MS give lip service to this but there's nothing that guarantees it will be available. Nothing at all."
Yes, there is. I quote http://msdn.microsoft.com/en-US/library/windows/hardware/jj128256, "Windows Hardware Certification Requirements for Client and Server Systems":
Now please inform us as to under which conditions windows hardware certification may be revoked.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I'd say end users who are at a minimum configuring and compiling their own kernel modules are rather educated.
That is marginally accurate of an Ubuntu user, but the other distros are still popular and have only been gaining users since Shuttleworth started sodomizing his userbase.
Also it misses the point entirely. Distro maintainers should decide how and why UEFI is used. It shouldn't be baked into the Linux kernel, and if you want to build your own kernel, then it's something you should decide yourself.
you can't boot whatever you like on ARM Chromebooks),
Yes you can.
"I've got more toys than Teruhisa Kitahara."
Just change the Linux operating system license from GPLv2 to proprietary and that's it!
And while doing it, just copyright all source code for Microsoft same time.
Then justice would be served...
(Yeah, just trolling as I don't have anything better to say).
Given the evidence of history, it's simple common sense.
"I've got more toys than Teruhisa Kitahara."
I'll only add this, as was pointed out by another Slashdot poster on another article:
Why not have Apple provide the keys?
It makes no sense, so it makes no sense to have Microsoft provide the keys.
I worry a bit about this turning into some issue about Microsoft, when it really has nothing to do with Microsoft. The question is why should any particular company (other than maybe the hardware manufacturer) provide the keys?
It's like democracy. It sucks but is better than everything else.
And if a user 1) lacks the technophilia to be the right person to do it, and 2) lacks the wisdom to defer to another party of their choosing (e.g. a distribution maintainer), then they are a lost cause anyway. There is no solution that is ever going to make their machine secure.
The neat thing about Free OSes is that there are many ways to approach #2, whereas proprietary OSes these days, insist that you must defer to someone (there is no option #1) and may not choose to whom you will defer.
If you happen to think that The One Party to whom you must defer, is unusually trustworthy and competent, then it seems fine. People who look at track records, though, will question the choice, and eventually it always leads to "of course they make it so that you have to trust them; if the choice were left to the computer's owner, they would never choose that company again."
Maybe it's all ancient history to you, but to me, these are the people who thought ActiveX ought to be in web browsers. These are the people who thought an OS should ship such that, by default, it loads and executes code from a CDROM when you insert it. These are the people who still (AFAIK, maybe I'm starting to get out of date) use file names (extensions) instead of permissions, to determine if a file is executable. These are the people who (again, AFAIK, maybe my prejudice is showing) basically invented the idea of a full-fledged programming language engine being in spreadsheets and word processors, which will load and run the code in a document when you load the document. Etc, etc, etc.
I would say that this one company, more than any other that we've ever heard of, has the least credibility if they ever say uneducated users shouldn't be in charge of security. Even an uneducated user isn't likely to make worse choices than Microsoft has. And now they want to be The One global root CA for all code, even outside their own OS. I would say that'd be the funniest thing ever, but then I heard something even more hilarious: some people are taking their proposal seriously.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
... he just doesn't want sign off the ability to boot Linux on UEFI+Secure Boot to some big company.
But I'll bet you he would love to have control of it himself. He's done a lot of good for computing in general, but his ego and attitudes often eclipse his accomplishments.
No he does not want control of this or any thing on the users machine. That is his whole point. He wants the user to be in control not some 3rd party.
What people want is to load an OS on to their computer with minimal fuss, which means having the signed bootloader, signed by Microsoft.
The entire complaint is silly because of this very fact. The user purchased a windows certified computer with secure boot so amazingly it's easy to install windows. This isn't some shocking revelation here.
You can choose what to buy and what not to buy. Your continued complaints just prove to rational people that you do not want to take responsibility for your purchasing decisions. Do you also throw a silly looking hissy fit when it's hard to figure out the correct driver for a wireless card that Linux doesn't recognize?
"His name was James Damore."
Since, as recent hospital deaths due to MRSA and medical errors have shown, centralized medicine offers dubious health benefits?
Just because there have been failures doesn't make the system dubious at all. Even with all the failures accounted, SSL is a phenomenal success -- effectively protecting billions in eCommerce revenue, trillions of emails and untold other secrets. The fact that any Joe can sit down and go to ${site} and be nearly certain that their communication is authenticated and encrypted without the need to understand anything is a remarkable feat of engineering.
Notice what it says at the very top of that document:
(emphasis mine)
Those requirements are not set in stone, they can and will change over time and you have not really presented a valid reason why anyone should assume the parts you pointed out are not up for review *all the time*. Need we remind you what company we are talking about here? Please spare me any claims about turning over a new leaf, for example they are still claiming Linux violates their patents without releasing any patent IDs so we can check them. History has repeatedly shown that anyone who "partners" with Microsoft (IBM, SGI, Nokia, the Mono project, etc etc etc) either fails miserably or gets stabbed in the back.
What do you think will happen when Windows Update runs on the Windows 8 install on the other partition?
Nothing, idiot. The keys are not programmable outside the bios config. If they were, Linus's argument would be even more silly.
"His name was James Damore."
An argument that obtuse could only have come from a marketing team. Are you Burson Marsteller or Waggener Edstrom?
Sorry, you're right. I had somehow got the idea that dev mode wasn't available on the Samsung, but it is.
Chrome OS dev mode is more restrictive than MS' x86 Secure Boot requirements - see http://mjg59.dreamwidth.org/22465.html - but it is indeed less restrictive than MS's *ARM* SB requirements. So indeed an ARM Chromebook is relatively a better choice than an ARM Windows RT device.
So the minimum requirement is that you can delete all the keys.
Wrong. There is no requirement that you *explicitly* can enter UEFI Setup Mode. The system vendor MAY allow such an explicit option, but the MINIMUM requirement is that he MUST allow Setup Mode to be entered by deleting all keys.
Read what you quoted again, please:
1) It SHALL be possible for a physically present user to use the Custom Mode firmware setup option to modify the contents of the Secure Boot signature databases and the PK.
2) This MAY be implemented by simply providing the option to clear all Secure Boot databases (PK, KEK, db, dbx), WHICH puts the system into setup mode.
So the owner of the system can ALWAYS enter setup mode. He may have some direct way to do that, but he can ALWAYS delete the key databases, which will cause the system to go into UEFI Setup Mode.
"If the user ends up deleting the PK then, upon exiting the Custom Mode firmware setup, the system is operating in Setup Mode with SecureBoot turned off."
So when you delete the keys, SecureBoot is turned off.
Correction: When you delete the keys the system enters Setup Mode. If you choose to exit the automatically invoked setup mode WITHOUT entering a new platform key, THEN secure boot is turned off. Which makes perfect sense as there are now no keys in the firmware which could validate anything.
There's also an option to always put the Microsoft key back in place. But that's it.
No, you can enter ANY key into the Platform Key database. From http://lwn.net/Articles/447381/ : "Before a PK is loaded into the firmware, UEFI is considered to be in "setup" mode, which allows anyone to write a PK to the firmware. Writing the PK switches the firmware into "user" mode. Once in user mode, PKs and KEKs can only be written if they are signed using the private portion of the PK, though KEKs can be freely written during setup mode. Essentially, the PK is meant to authenticate the platform "owner", while the KEKs are used to authenticate other components, like operating systems."
At no point does it guarantee that you can enter an arbitrary key and keep secure mode on.
And you are wrong. The PK (Platform Key) is the "owner" key. You can enter your own key if you like.
Which is basically what I said.
But you were mistaken.
And "possible" can be provided by means of, say, a supplied disk available at extra cost from the manufacturer that has to be inserted for such action to be taken at all.
Lip service.
So, basically you are spreading FUD: *Fear* that it may incur extra costs, *uncertainty* because you choose to disregard facts and present your own speculation and conjecture as facts, and finally *doubt* as to the "real" intentions behind secure boot.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
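The Setup Mode / User Mode rules argued over in the comment above, as an added example that is not part of the original thread: it decodes the `SetupMode` and `SecureBoot` variables as Linux efivarfs exposes them and models the enrolment rules from the quoted LWN text. `FirmwareModel`, `signed_by` and the key names are hypothetical, the sample blob is constructed, and the model assumes Secure Boot is enforcing whenever a PK is enrolled.

```python
import struct
from pathlib import Path

# EFI global variable GUID under which SecureBoot and SetupMode are published.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def decode_flag(blob):
    """efivarfs layout: 4-byte little-endian attribute word, then the data.
    SecureBoot and SetupMode each carry exactly one data byte."""
    if len(blob) != 5:
        raise ValueError("expected 5 bytes, got %d" % len(blob))
    _attrs, value = struct.unpack("<IB", blob)
    return value


def describe(setup_mode, secure_boot):
    if setup_mode == 1 and secure_boot == 0:
        return "setup mode: no PK enrolled, Secure Boot off"
    if setup_mode == 0 and secure_boot == 1:
        return "user mode: PK enrolled, Secure Boot enforcing"
    if setup_mode == 0 and secure_boot == 0:
        return "user mode: PK enrolled, Secure Boot disabled"
    return "inconsistent: setup mode reported with Secure Boot on"


def read_live_state():
    """State of the running machine, or None if efivarfs is unavailable."""
    try:
        values = [decode_flag((EFIVARS / (name + "-" + EFI_GLOBAL)).read_bytes())
                  for name in ("SetupMode", "SecureBoot")]
    except (OSError, ValueError):
        return None
    return describe(*values)


class FirmwareModel:
    """Toy model of the key-enrolment rules quoted in the thread.
    `signed_by` stands in for real signature verification (assumption)."""

    def __init__(self):
        self.pk = None      # Platform Key: authenticates the platform owner
        self.kek = []       # Key Exchange Keys: authenticate e.g. OS vendors

    @property
    def setup_mode(self):
        return self.pk is None

    def _check(self, signed_by, what):
        # In setup mode anyone may write; in user mode the PK must sign.
        if not self.setup_mode and signed_by != self.pk:
            raise PermissionError("user mode: %s must be signed by the PK" % what)

    def write_pk(self, key, signed_by=None):
        self._check(signed_by, "PK update")
        self.pk = key       # writing a PK switches the firmware to user mode

    def write_kek(self, key, signed_by=None):
        self._check(signed_by, "KEK update")
        self.kek.append(key)

    def clear_all(self, physically_present):
        # The certification text ties this to a physically present user.
        if not physically_present:
            raise PermissionError("clearing keys requires physical presence")
        self.pk, self.kek = None, []

    def flags(self):
        """(SetupMode, SecureBoot) as the firmware would report them."""
        return (1, 0) if self.setup_mode else (0, 1)


def walkthrough():
    fw = FirmwareModel()
    fw.write_pk("vendor-PK")                    # constructed factory state
    steps = [describe(*fw.flags())]
    try:
        fw.write_pk("owner-PK")                 # unsigned write in user mode
    except PermissionError:
        steps.append("unsigned PK write rejected")
    fw.clear_all(physically_present=True)       # owner clears PK, KEK, db, dbx
    steps.append(describe(*fw.flags()))
    fw.write_pk("owner-PK")                     # setup mode: any PK accepted
    fw.write_kek("distro-KEK", signed_by="owner-PK")
    steps.append(describe(*fw.flags()))
    return steps, fw.pk


if __name__ == "__main__":
    for line in walkthrough()[0]:
        print(line)
    print("this machine:", read_live_state())
```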
Again, you're focusing on the technical details and ignoring what actually happens. ..and the reason that this is the case is because the user purchased a windows certified computer. If the user didn't want to run windows, then why did the user buy a windows certified computer at all?
Seriously, you actually asked that? Where the hell can you buy a non Windows certified motherboard?
The entire complaint is silly because of this very fact. The user purchased a windows certified computer with secure boot so amazingly it's easy to install windows. This isn't some shocking revelation here.
Are you being intentionally obtuse here? You very well know that because of the sway that MS has it is not possible to buy a motherboard which isn't certified to run windows. That means that every single desktop motherboard out there will be "windows certified".
You can choose what to buy and what not to buy.
No, you can't, not if what you want is not for sale.
Your continued complaints just prove to rational people
Out of interest, does your definition of "rational people" include completely ignoring reality to pursue your own bizarre agenda?
SJW n. One who posts facts.
I think you are missing a layer here.
BIOS contains a key signing authority which signs keys which allows an OS to load.
The Microsoft key exists as an authority. There will probably be some fixed number of signing authorities.
In theory distributions could just pay a nominal fee (about $80 from Microsoft for example) per kernel and get signed.
RedHat decided that was a bad idea since they still wanted to support roll your own kernels without end users paying $80 per kernel and so they invented the shim system. BIOS don't boot Linux they just, if enabled, check that a simple math operation. What works for Microsoft kernels as they release service packs and patches should work equally well for Linux. If BIOS manufacturers are blowing the one, they are most likely blowing the other..
They probably aren't going to be the only signing authority on most machines. For example if you were to buy a Samsung laptop, Samsung might decide to have their own master key. I'd assume China is going to want their own master keys. I'd assume for the EU there is going to be someone other than Microsoft, say Unisys.
ARM hardware often has different financial models. It certainly has different cultures. I don't think we should think of them as a unit. You can support or oppose more open ARM entirely separately from the x86 discussion.
Pick up the phone and ask the manufacturer. That's rather classic, what support is for.
"Itz Micro$OFT OMG run!11!!"
Anyone who worked with Windows and/or Linux in the past decade or so, will have that reaction. After so many years, it's a reflex. I'm not talking about Windows itself, but the entire ecosystem, the Microsoft Zoo.
This whole UEFI issue, from another company, it would be just another idea, good or bad, it would be implemented properly over time, or quickly killed. Coming from Microsoft, it's hard to tell if they really want to lock in the customers or just to make life hard for Linux users.
news at 11, children and morons install malware and then brick a machine during the warning of 'don't turn the power off'.
Calm down. First off that's not Microsoft. They didn't write your BIOS. Second, the BIOS loads before the operating system so there is no way to "brick" a system like that. Just call the manufacturer and find out what the correct key is to get in.
Diverse inexpensive hardware in the hands of hostile end users is not trustworthy.
But... additional layers of security do make a difference. iOS has had far fewer problems than Android not because iOS is inherently more secure than Dalvik, probably the opposite, but a few extra layers of security and management. Internet browsers today are vastly more secure than those 15 years ago because of extra layers. Layers matter.
and what have you achieved to judge besides scratching your fat ass in your mom's basement?
act like his wants and opinions are more important than anyone else's.
Actually, when it comes to the Linux kernel, his opinions are more important than anyone else's, because he has final say on it.
True, but it's worth considering why it is that he has the final say. Sure, it was his baby originally, but 20 years later, Linux is an asset worth billions to many big companies with deep pockets and lots of top-notch engineers -- and it's GPLd. If, say, IBM wanted to they could fork the kernel and push their fork farther and faster, make it better-tested, more featureful and more reliable than Linus' fork. They could adopt better policies that would make contributors happier, and Linus would quickly fade into irrelevancy.
Or could they?
The fact is that Linus is still in charge of the 800-pound gorilla that Linux has become for one simple reason: he does a great job. He makes good decisions, manages the process well, and generally keeps things moving along well enough that no one is really even tempted to seriously try to fork the kernel in a way that pushes Linus out of the picture.
What all of that means is that his opinions are more important than anyone else's because he has good opinions. Not that he's perfect (in fact I can name a number of things I strongly disagree with him on), but by and large, what he says on kernel-related topics is worth listening to on its own merit. And because he has final say on it.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
And then Apple waltzed in with the same "there is no option 1, trust us" model with iOS, and while it hasn't been perfect*, it is certainly a million times more secure out of the box than anything Microsoft has accomplished.
*apple is a bit too draconian in what they do and do not allow in the app store (porn and bitcoin right off the top of my head) and there are still enough security holes that advanced users can still force option 1 by jailbreaking/rooting through exploits.
Don't call me back. Give me a call back. Bye. So yeah. But bye our, well, but alright we are on a shirt this chill.
Which would take years to come to any conclusion (if at all), at which time all the damage would've been done already.
It's a shame people have to attack at a personal level rather than offer a logical reason/argument against his ideas.
Well, if you have no logical argument against his ideals and you're Steve Ballmer, what else can you do?
What f..k and s..k thing not clear enough?
Saying things like " If the user has explicitly enrolled a hash then they're stepping outside the trust model." indicates gross incompetence and fundamental non-understanding what security is. After all, all security must always reference back to the user as it is the user (and nobody else) that decides which OS/hardware/mechanism to trust in the first place. That initial security decision overrules all other considerations. If the user cannot be trusted, then all conceivable systems are broken from the start.
It is surprising how many people that have not the first idea what security is about are still active in this field. Fortunately, Linus gets it. His abrasive way of expressing himself may be controversial (although I had far, far worse and in addition completely baseless insults from customers when working as a consultant), but his competence and understanding are not in question. I really hope he stays firm on these issues, but I expect that he will.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Stop confusing everyone with facts. The facts weren't good enough when Secure Boot was announced and they sure as hell won't be good enough to swing the opinion of anyone who ignored them in the first place!
It's not "non-existent" and MS didn't make secure boot, Intel did. MS is just an end user of a now open industry standard.
Intel started creating Secure Boot many years back because customer feedback was showing demand for this feature. So they started work on the framework, got it all set up, then opened it up to the rest of the industry to be an open standard. MS decided to make use of it.
If you want to blame someone for Secure Boot, blame IT for wanting it. They were sick of computers getting hijacked on the internal network.
Microsoft's incompetence is OK, because Apple does it too? You are a crazy person.
Boots in the Imperial Palace without an order from the Emperor.
If you were blocking sigs, you wouldn't have to read this.
I doubt that he's clueless, and I suspect that astroturfer is more precise than troll.
Please remember that not all anonymous cowards are the same person, or represent the same entity.
I think we've pushed this "anyone can grow up to be president" thing too far.
I'm not thrilled with the manufacturers controlling the keys either, but I will agree it makes *more* sense. Just not much.
I think we've pushed this "anyone can grow up to be president" thing too far.
The fact is that Linus is still in charge of the 800-pound gorilla that Linux has become for one simple reason: he does a great job. He makes good decisions, manages the process well, and generally keeps things moving along well enough that no one is really even tempted to seriously try to fork the kernel in a way that pushes Linus out of the picture.
True, but chances are there is somebody better. Linus got the ball rolling, but how much of that was due to personal awesomeness vs. pure luck and being in the right place at the right time? Is your crush from when you were 14 in high school really the right choice for marriage? Yeah, she was cute, intelligent, and funny, but so are a hundred million other people -- you aren't even looking around.
Linus doesn't suck enough to have been ousted yet, that's all.
"Don't turn the power off" is a REALLY shitty design. Power can go off all by itself, ever seen a thunderstorm? Not every computer has a UPS and it takes a long time to install Windows, if you're doing it on battery power it's going off!
Whoever wrote that installation thing with "do not shut the power off" was a fucking moron. You, maybe?
You won't see stupid shit like that in Linux.
Everyone locks down ARM. It sucks when Microsoft does it, but no more than when Google does it (you can't boot whatever you like on ARM Chromebooks), or Samsung, or Apple, or...
Have you not noticed that tablets and smartphones are dissolving away the PC market? There won't be a big consumer market for x86 for much longer. "It's just ARM" is a really shortsighted assessment.
Why are you quoting from "Windows Hardware Certification Requirements for Client and Server Systems"?
How can that be applied to Linux or other systems? And more important, how does it prevent Microsoft from changing those requirements?
http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
"you can load keys of your choice"
I think this is the biggest, and most complained about, assumption in all the debacle. If it was true, the Microsoft key issue wouldn't exist (we'd just have a "Linus key" and that would be the end of it).
You can load your own keys in. It is not some sort of sham, or some sort of half-truth.
The argument is how you load those keys in. Most utilities do it from the operating system, after assuring that the operating system isn't hijacked. This means OS lock-in, which is exactly why you would want UEFI Secure Boot. Lack of lock-in is a vector for a rootkit / replacement with a tainted kernel / os.
So the real argument boils down to do you want to boot Windows to reconfigure so you can secure boot Linux without relying on the Windows key. Linus doesn't want to do that, nor does any major Linux vendor. The solution: have every motherboard ship with a Vendor Key for every Linux distribution; but, only one distribution tried that path to my knowledge, and they only could hit about 60% to 70% of the market, and they decided to ship with a loader signed by Microsoft's key. Of course, that loader does nothing except assure that the next stages are not signed.
Now, if your argument is about the quality of BIOS, that's a different story. There's always been something broken about a BIOS, but few people tend to complain, and few BIOS shops tend to act quickly on such complaints.
They probably aren't going to be the only signing authority on most machines. For example if you were to buy a Samsung laptop, Samsung might decide to have their own master key.
That's true. Now, will Samsung decide to use it and risk incurring Microsoft's wrath?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
You can support or oppose more open ARM entirely separately from the x86 discussion.
You cannot support Microsoft without supporting locked-down ARM platforms, because they are free to share money across their various divisions. That's why you must consider a corporation as a single entity. They insist we do so, but so does reality.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Microsoft doesn't expect to be the unique signing authority. They are trying to make sure there is one and acting as one. But they aren't really well set up for it. I don't think there would be any wrath if Microsoft could step away entirely from the signing business.
I'd assume Samsung's prime reason for supporting it would be for Android on x86 and Tizen development.
It's his fucking kernel you moron.
Dude, I hate to spoil it for you, but Linux kernel actually HAS been forked and the fork is massively more successful than the original. It is called Android.
I know this sounds crazy, but why not push for UEFI to allow users to install whichever keys they want into their BIOS. Microsoft can work with OEMs to have their key installed by default, but Linux users will be free to install the keys of their chosen distro themselves...then distros can sign whatever they need to and just distribute their cert.
It's secure, puts users in control and only requires Linux users to make a configuration tweak when installing...which is good preparation for using Linux. And, most importantly, doesn't give Microsoft any control over the Linux community.
Most governments can tax or subsidize as they will. So they are free to move money from one entity to any other entity. We don't say that doing any business with a society is supporting everything that society does. We weigh the complexities against one another.
Microsoft is mildly advancing lockdown on ARM. They are taking an already moderately locked down platform and further entrenching lockdown. On x86 so far they are providing a slight move towards avoiding OS level hacks, a bit more security with little lockdown. Microsoft has a fairly long record of supporting open systems in hardware. Microsoft has a fairly long record of being hostile to open standards for software.
They are a bit of a mixed bag. But obviously supporting Microsoft is not supporting open system. Obviously there are some vendors that are more open, but not many. Sun was more open in terms of file formats but more closed in terms of hardware. I'm not sure who on ARM is really much better. I'd say right now http://jolla.com/ is probably the most open but it is unclear if they even intend to sell in the USA.
That's why I didn't make it. And yes, I have noticed that, but SB doesn't really seem like the logical place to make your glorious stand on the issue, to me.
Microsoft chose to provide SB keys because it wants to. Anyone can provide SB keys. You can, if you like; knock yourself out. The trick is in persuading hardware manufacturers to ship with firmwares that trust your keys.
Anyone could step up and offer to provide SB keys for other operating systems, and try to get hardware vendors to ship them. So far, no-one has done so. Red Hat does not want to because a) we don't want to be seen to be in a position of privilege versus other distribution vendors, and b) Red Hat as a company is not really set up to act as a trustworthy CA. (Neither is Microsoft, which is why they outsource a lot of the work to Verisign, but I don't think we can afford that).
The logical entity to do so for Linux would be the Linux Foundation. My understanding, second hand from pjones and mjg59, is that the LF looked into the possibility and said 'thanks, but no thanks'.
SB, per se, is just a mechanism for doing key verification, defined as part of the UEFI spec. The SB part of the UEFI spec doesn't say anything about Microsoft or anyone else providing keys, or make any requirements as to who should trust who else's keys. All of that is an implementation detail so far as the spec is concerned. The implementation that exists in the real world is that MS is providing keys for itself and offering to provide them for others for a nominal fee, MS has succeeded in getting hardware vendors to go along with Windows certification requirements that they enable SB by default and trust MS's key, and that no-one else is offering to act as a key provider to third parties. This reality could change, but it shows no immediate signs of doing so.
Red Hat maintains its own kernel. They can put whatever they want in it. Linus maintains his own kernel, and if people want to try and force him to include things, they have another thing coming. I don't know why that's so hard to understand. No one uses Linus's branch of Linux because they have to.
This is all very confusing to me. I'm certain that I don't quite get it all yet. I just don't want to end up in a situation where I'm required to hand control over to any single software or hardware company in order to run the software I TRUST. I could care less about Microsoft protecting their products against piracy. Good for them, do it. Because the tighter they hold on to their product, the more I expect others will find the value I've found already in free operating systems and software.
In any case, to understand it a little more... I took a micro SD card with a Linux installation on it down to my local Best Buy. Then I proceeded to reboot multiple computers to see if I could get Linux running. In all cases, I was able to get into the BIOS in order to get Linux to successfully come up on those machines. I did this with about 10 or more computers to be sure and spread it across brands. Here is what I learned:
1. You have to shut off the Secure Boot option and you need to turn off UEFI (to something like 'legacy' or 'CSM OS'). But all BIOS currently allowed this.
2. You cannot tell Windows 8 to "SHUTDOWN" and expect to get into the BIOS. Shutdown simply performs a sleep to the hard drive... so you need to click "REBOOT" in order to have the computer recognize the Fn key to get into BIOS.
3. There is no standard on which keys to press to get into BIOS and it is not displayed on the screen during booting (not on any new computers at least). You have to guess and then try and try again... or read the computer manual I guess.
4. Sony is the worst offender for having non standard BIOS access. I had to go home and research the manual to find out that BIOS is accessed while the computer is OFF and then pressing a particular button on the side to bring up BIOS. Sony is strange.
5. The UBUNTU default kernel was able to detect and load all the sound cards, video cards, network cards that I tested it on. Although I think I also have the binary Broadcom module loaded, which may have helped.
6. I can "see" the Windows partitions of the main hard drive when I boot from the SD card into Linux. However, when I wrote some files and made some directories, I was unable to "see" these changes when I rebooted into Windows. Although maybe I just didn't know how to find them... because I couldn't find the Windows shell terminal program I would use to easily navigate through the filesystem... and the Windows file manager is a real mess to use and ugly and seems to hide things from me for "my convenience" or something. Who knows what was going on... Windows is a confusing and unfriendly operating system when you already know what you want to do. I would prefer the window manager not try to hold my hand so much while I'm busy working. Then again... maybe my attempt to write to the Windows drive while running the Linux OS was defeated by something in the BIOS security settings... although I thought this was just for kernel and driver changes... but I repeat: I don't really understand what all this means.
7. In all cases I needed to restore the system to UEFI and Secure Boot in order to get Windows to run again. This would be a little irritating if I wanted dual boot and regularly switched between Windows and Linux. It would require BIOS access and changes for every switch. But not a big deal to me as I can't recall the last time I wanted to do that... nor can I recall a need for leaving any space on my hard drive for an operating system I was forced to pay for but never used.
Anyhow... I do wish Microsoft all the best luck in stopping people from installing their OS on computers without paying for it. I really hope they succeed and drive more users to superior free software like Linux. Maybe then we will get support to have manufacturing companies begin to honor the EULAs they write and start offering refunds for unused Windows products. Because forcing the sale of one product on the condition of buying another is downright un-American... as Sherman put it (https://en.wikipedia.org/wiki/Sherman_Antitrust_Act). And the
Dude, I hate to spoil it for you, but Linux kernel actually HAS been forked and the fork is massively more successful than the original. It is called Android.
Forked? I don't think that's an accurate characterization. Yes, Google modifies the kernel in some ways, but the Android kernel still tracks Linus' kernel.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
when i first saw the heading i was expecting from linus something like "we should just ignore uefi... it's just not that bigger deal"
i honestly don't really know what all the fuss is about
i'll keep buying mobos from my local store or online and (assuming they have it) uefi will be disabled by default and i will assemble my new pc's as per usual
as for how it may affect anyone else... i really just don't give a fuck :)
I know this sounds crazy, but why not push for UEFI to allow users to install whichever keys they want into their BIOS. Microsoft can work with OEMs to have their key installed by default, but Linux users will be free to install the keys of their chosen distro themselves...then distros can sign whatever they need to and just distribute their cert.
It's secure, puts users in control and only requires Linux users to make a configuration tweak when installing...which is good preparation for using Linux. And, most importantly, doesn't give Microsoft any control over the Linux community.
Exactly, something like Secure Boot is a good idea which would provide protection against unwanted changes. MS tried to hijack it by requiring it to be enabled for computers shipping with Windows 8, essentially making them unable to run anything not blessed by MS. When that backfired they changed their stance, allowing users to override Secure Boot in BIOS. I'm not sure what their position is on allowing users to use their own keys, thus benefiting from the security against changes without depending on Microsoft.
Are you a grammar Nazi? I'm trying to improve my English; please correct my errors!
I know you are an AC, but I am tasking you on behalf of the entire linux community to write and maintain the documentation for your grandma for every single UEFI bios/computer/variant out there on how to create and add a key.
Right, that is a huge task because every vendor is going to do it differently.
All of the above was encrypted with a Quad ROT-13 method. Unauthorized decryption is in violation of the DMCA.
How exactly is that a guarantee? It is nothing but words hosted on a Microsoft website. Those words could change tomorrow and a new era of computing would be introduced. One where nothing but Microsoft operating systems will run.
Hold on to your motherboards that were built under that policy because when the new motherboards come out, they will respect the new policy.
Is it really so easy to lead you to the guillotine? Wow.
"Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen